Search Engines: Balancing Data Retention with Privacy

One of the most topical and ongoing issues in the online world is the need to protect people’s privacy and identity, something which Google is very vocal about wanting to do. Google’s dominant presence in the online world and the fact that its business revolves around receiving personal information from its users has made it a prime target for the European Union’s independent data protection and privacy advisory body, the Article 29 Data Protection Working Party.  

 

The momentum of the Article 29 Working Party’s dialogue with Google on its data protection/privacy policies has been stepped up over the last few months. This article looks at both parties’ stance, the steps Google has been taking to strike a balance between privacy, security, innovation and its legal obligations, and the extent to which Google is subject to EU data protection/privacy laws.

 

Google’s data retention policies

 

On 14 March 2007, Google issued a statement on its Web site informing users of the steps it would be taking to further improve its privacy policies.1 According to the statement, Google collected information about “your search, such as the query itself, IP addresses and cookie details” and kept such information “for as long as it was useful”. Google said it would implement its new policy to “anonymize [its] server logs after a limited period of time” in the coming months but that it would “continue to keep server log data … but will make this data much more anonymous, so that it can no longer be identified with individual users, after 18-24 months”.

 

On 11 May 2007, Google issued a further statement listing three factors which were “critical” to its decision on retaining server log data:

 

•   maintaining Google’s ability to “continue to improve the quality of our search services”;

 

•   protecting Google’s “systems and our users from fraud and abuse”; and

 

•   complying with “possible data retention requirements”.

 

In a report² published by Privacy International on 9 June 2007, Google is cited as the most “hostile” internet company on privacy practices.

 

Article 29 Working Party response

 

The Article 29 Working Party responded³ to Google’s 14 March statement expressing concerns over the 18–24 month retention period, stating that it did not “meet the requirements of the European legal data protection framework” and citing Article 6(1)(e) of the Data Protection Directive,⁴ which permits personal data to be kept “for no longer than is necessary for the purposes for which the data were collected or for which they are further processed”.  The Article 29 Working Party also:

 

• sought clarification as to the extent to which the anonymised data still contains significant information about a user and whether such anonymisation is reversible;

 

• queried how Google has implemented the Resolution on Privacy Protection and Search Engines;⁵ and

 

• stated that the 2038 expiry date of the Google cookie is disproportionate, and goes beyond what is strictly necessary for the provision of the service.

 

Google posted a further statement on its Web site on 12 June 2007 together with a link to its 10 June 2007 response letter to the Article 29 Working Party.⁶ In its letter, Google stated that, whilst it believed the 18-24 month retention period complied with data protection law, it would anonymise search server logs after 18 months but that “future data retention laws may obligate us to raise the retention period to 24 months”. The Vice President of the EC, Franco Frattini has said that this is “indeed a good step, I have appreciated the commitment of Google not only to meet our expectations in terms of protection of privacy or better on cutting the time and reducing the time of retention of personal data”.

 

Is Google subject to EU data protection/privacy laws?

 

As a result of being headquartered in the US and operating globally, Google is under a legal obligation to comply with EU data protection/privacy legislation.

 

The second statement from Google acknowledged the Data Retention Directive⁷ and that Google may be subject to it. The Retention Directive deals with the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communication networks. Its aim is to ensure that certain data is retained to enable public authorities to undertake their lawful activities to investigate, detect and prosecute crime and protect the public. Articles 1 and 2 of the Retention Directive impose an obligation only in relation to data generated or processed as a consequence of a communication or communication service and so will include traffic and location data, but not the contents of a communication.

 

Under the Retention Directive, EU Member States have until 15 September 2007 to implement its application to fixed line and mobile telephony providers and, if they decide to postpone, until 15 March 2009 to implement its application to internet access, internet telephony and internet email. In March 2007, the UK Government issued draft regulations, the Data Retention (EC Directive) Regulations 2007 and a consultation paper.⁸ The UK will be delaying application of the 2007 Regulations to internet access, internet telephony and internet e-mail until 15 March 2009 and, until such time, communication providers are encouraged (if they do not already do so) to abide by the code of practice on voluntary retention of communications data, which was drawn up by the Secretary of State following powers given to him under the Anti-Terrorism, Crime and Security Act 2001, s 102.⁹ The consultation process on the 2007 Regulations ended on 11 June 2007.

 

Comment

 

It is unlikely that Google’s justification for retaining server log data to improve the quality of its search services and to comply with security-related obligations elsewhere will be regarded as acceptable by the Article 29 Working Party, because Article 6(1)(e) of the Directive only permits Google to keep such data “for no longer than is necessary for the purposes for which the data were collected or for which they are further processed” (ie for no longer than a user’s search session, unless that user has consented to his/her information being retained so that he/she can carry out further searches in the future).

 

In its 10 June letter, Google queries what an electronic communication service provider is and whether it would include Google services, such as Gmail, Google Talk, or Google Search. It is unlikely that Google will be able to avoid compliance with EU legislation on data retention for its Gmail and Google Talk services. The Retention Directive only applies to data that is generated or processed by providers of publicly available electronic communications services or of public communications networks and, even if Google’s search service was caught on a wide interpretation of this, it would be unlikely that the categories of data given in the Retention Directive could be extended by EU Member States in their implementing legislation to cover the contents of a search query.

 

Google’s ongoing dialogue with the Article 29 Working Party will no doubt continue to be hugely publicised and companies in similar positions will be watching very closely.

 

 

Lisa Comber is an Associate in the London Commercial and Technology Practice of Faegre & Benson LLP: lcomber@faegre.com

 

An extended version of this article was published in e-Commerce Law & Policy, Volume 9, issue 6, June 2007.